St. Joseph’s/Candler Faces Lawsuits in Wake of Ransomware Attack

The class action lawsuits allege that the Georgia health system ignored ransomware warnings by federal agencies and failed to create a data recovery plan.

Two class action lawsuits were filed against St. Joseph’s/Candler (SJ/C) alleging that the large Georgia health system was negligent in preventing a December 2020 ransomware attack that went undetected for six months and resulted in system-wide outages and EHR downtime.

On August 28, Georgia resident Daniel Elliot filed a lawsuit on behalf of himself and the 1.4 million impacted individuals whose information was breached in the attack, according to Savannah Morning News.

The lawsuit alleged that SJ/C violated its own privacy policy and failed to secure patient information and enact safeguards to prevent the ransomware attack. The plaintiffs are seeking a jury trial, monetary relief, and payment for attorney fees.

The plaintiffs argued that the region’s largest health system failed to “design, adopt, implement, control, direct, oversee, manage, monitor and audit appropriate data security process, controls, policies, procedures, protocols and software and hardware systems.”

SJ/C said in an August 10 press release that it discovered suspicious activity on June 17, 2021. Further investigation revealed that an unauthorized third party had been continuously accessing the health system’s IT network for six months. Once the intrusion was discovered, the actor deployed ransomware that made files inaccessible.

On August 20, SJ/C announced that it was once again fully operational. The attack had forced providers to document clinical notes on pen and paper.

Another patient filed a class action suit on September 14 seeking damages as a result of the incident.

“It wasn’t a simple software glitch or temporary power outage. It was, instead, a complete information technology (IT) meltdown,” the filing stated.

“Everything, from electronic medical record[s] (EMR) used to document encounters to the lab, radiology and billing software, went down. Even the phones, which are formatted as voice over the internet protocol (VOIP) devices, stopped working. All of St. Joseph’s/Candler usual patient encounter protocols were immediately rendered ineffective. The hospital system was, in essence, flying blind.”

The lawsuit cited FBI flash alerts, CISA guidance, and the formation of the Joint Cybersecurity Advisory in 2020 as clear precursors to the breach. Given all of these warnings, the plaintiffs argued that SJ/C should have seen the attack coming and implemented stronger cybersecurity protocols.

SJ/C is the latest major health system to face backlash over its handling of a ransomware attack. In June, major California health system Scripps Health faced two class action lawsuits after a May ransomware attack that plaintiffs allege was completely preventable.

Just a few days after Illinois-based DuPage Medical Group notified over 600,000 patients of a ransomware attack that may have compromised protected health information (PHI), two patients filed a class action lawsuit. The lawsuit alleged that DuPage did not do enough to prevent the attack and delayed telling patients about the breach.

In another instance, Massachusetts-based Sturdy Memorial Hospital was presented with a lawsuit claiming that the provider failed to safeguard its data against ransomware attacks. Sturdy Memorial Hospital unadvisedly paid the requested ransom to hackers after a breach that impacted 35,000 individuals.
